Splunk Certified Enterprise Security Administrator Exam
With Complete Solutions Latest Update
The Add-On Builder creates Splunk Apps that start with what? - ANSWER TA-
Which of the following are examples of sources for events in the endpoint security
domain dashboards? - ANSWER Workstation, notebooks, and point-of-sale systems
When creating custom correlation searches, what format is used to embed field values
in the title, description, and drill-down fields of a notable event? - ANSWER $fieldname$
What is the name of the Enterprise Security feature that downloads threat intelligence
data from a web server? - ANSWER Thread Download Manager
The Remote Access panel in User Activity dashboard is not populating with the latest
hour of data. Which data model should be reviewed first for issues, such as skipped
searches? - ANSWER Web
or
Authentication
What would you do after you have created an eventtype and extracted the appropriate
fields, in order to incorporate it into a data model node? - ANSWER Run the proper
search
What would be a good role to give a member of the security team who will take
ownership of notable events in the incident review dashboard? - ANSWER ess_analyst
Which column in the Asset or Identity list is combined with event security to make a
notable event's urgency? - ANSWER Priority
, What does the risk framework add to an object (user, server or other type) to indicate
increased risk? - ANSWER A numeric score
Which indexes are searched by default for CIM data models? - ANSWER All indexes
Which of the following settings in indexes.conf would you use to setup alternate
locations for accelerated storage? -ANSWER tstatsHomePath
Which of the following is a method to test for a property normalized data model?
-ANSWER Run a | datamodel search, compare results to the CIM documentation for the
datamodel
Which argument to the | tstats command forces the search to look only at summarized
data? -ANSWER summariesonly=t
What is a good way to store newly found IOC when investigating? - ANSWER Click the
"Add Artifact" button
How would one navigate in the The Splunk ES console to list all currently enabled ES
correlation searches? - ANSWER Configure -> Content -> Content Management -> Select
Type "Correlation" and Status "Enabled"
Which of the following is a risk of using the Auto Deployment feature of Distributed
Configuration Management to distribute indexes.conf? - ANSWER Indexes have different
settings
Which of the following are data models used by ES? - ANSWER Anomalies
At what point in the ES install is the Splunk_TA_ForIndexes.spl be deployed to the
indexers? - ANSWER After installing ES on the search head(s) and running the
distributed configuration management tool
With Complete Solutions Latest Update
The Add-On Builder creates Splunk Apps that start with what? - ANSWER TA-
Which of the following are examples of sources for events in the endpoint security
domain dashboards? - ANSWER Workstation, notebooks, and point-of-sale systems
When creating custom correlation searches, what format is used to embed field values
in the title, description, and drill-down fields of a notable event? - ANSWER $fieldname$
What is the name of the Enterprise Security feature that downloads threat intelligence
data from a web server? - ANSWER Thread Download Manager
The Remote Access panel in User Activity dashboard is not populating with the latest
hour of data. Which data model should be reviewed first for issues, such as skipped
searches? - ANSWER Web
or
Authentication
What would you do after you have created an eventtype and extracted the appropriate
fields, in order to incorporate it into a data model node? - ANSWER Run the proper
search
What would be a good role to give a member of the security team who will take
ownership of notable events in the incident review dashboard? - ANSWER ess_analyst
Which column in the Asset or Identity list is combined with event security to make a
notable event's urgency? - ANSWER Priority
, What does the risk framework add to an object (user, server or other type) to indicate
increased risk? - ANSWER A numeric score
Which indexes are searched by default for CIM data models? - ANSWER All indexes
Which of the following settings in indexes.conf would you use to setup alternate
locations for accelerated storage? -ANSWER tstatsHomePath
Which of the following is a method to test for a property normalized data model?
-ANSWER Run a | datamodel search, compare results to the CIM documentation for the
datamodel
Which argument to the | tstats command forces the search to look only at summarized
data? -ANSWER summariesonly=t
What is a good way to store newly found IOC when investigating? - ANSWER Click the
"Add Artifact" button
How would one navigate in the The Splunk ES console to list all currently enabled ES
correlation searches? - ANSWER Configure -> Content -> Content Management -> Select
Type "Correlation" and Status "Enabled"
Which of the following is a risk of using the Auto Deployment feature of Distributed
Configuration Management to distribute indexes.conf? - ANSWER Indexes have different
settings
Which of the following are data models used by ES? - ANSWER Anomalies
At what point in the ES install is the Splunk_TA_ForIndexes.spl be deployed to the
indexers? - ANSWER After installing ES on the search head(s) and running the
distributed configuration management tool
